Signature verification system, signature device, verification device, and signature verification method

ABSTRACT

A group structure preserving signature system that can be applied to groups based on symmetric bilinear mapping, that reduces the signature length, and that enables efficient computation of verification equations is provided. At least, information indicating p, G 1 , G 2 , G T , e, g 1 , and g 2 , information needed to obtain e(k u , h v ), and data that includes g s , h s , g t , h t , {g 1 , h 1 }, . . . , {g K , h K } are held as a public key vk, and data that includes vk, γ s , δ s , γ t , δ t , δ u , δ v , {γ 1 , δ 1 }, . . . , {γ K , δ K } are held as a secret key sk. A signature device selects ζ and ρ at random from integers between 0 and p−1, both inclusive, obtains w, s, t, and r, and generates, as a signature σ, data that includes w, s, t, and r. A verification device verifies the signature σ by using two verification equations.

TECHNICAL FIELD

The present invention relates to a signature verification system, asignature device, a verification device, and a signature verificationmethod that provide a digital signature method which is easy to use inencryption protocols.

BACKGROUND ART

A digital signature is a value s that can be calculated only when asigner who knows a secret key sk corresponding to a public key pk usesthe secret key sk correctly for a message M, and the value is used as anelectronic signature. Any party can verify the validity of the correctlycalculated signature by using the public key pk, and any third partiesthat do not know the secret key sk cannot obtain the valid signature s.

The digital signature is used as a basic element in a variety ofencryption protocols used for electronic money, credentials systems, andthe like. In particular, advanced uses are frequently found amongapplications that require private information of the user. For example,in combination with zero-knowledge proofs, if elements (public key pk,signature s, message M) of a signature are true ones that satisfy averification equation, any third party is convinced of the fact withsome or all of the elements kept secret.

Recent progress in pairing technology has enabled zero-knowledge proofs(Jens Groth and Amit Sahai, “Efficient Non-interactive Proof Systems forBilinear Groups,” Eurocrypt 2008, LNCS 2965, pp. 415-432) thatefficiently prove the fact that elements of a group satisfy an equalitydefined as a product of bilinear mapping. Accordingly, if all theelements of a signature are group elements and if the signatureverification equation is a product of bilinear mapping, thecorresponding signature system can easily keep any element of thesignature secret. The signature system in which all the elements of asignature are group elements and the signature verification equation isa product of bilinear mapping is referred to as a group structurepreserving signature system.

Known conventional technologies of group structure preserving signaturesystems include the technologies in Non-patent literatures 1 to 4. Thetechnology in Non-patent literature 1 is referred to as a CL-Signaturemethod. This method, however, uses idealized impractical elements, whichare referred to as random oracles, and its security in practicalimplementations is unclear.

The system in Non-patent literature 2 is an improved CL-Signature methodwhich does not use random oracles. This method, however, ensuressecurity only with respect to a message selected at random, and securityfrom chosen message attacks, which is generally demanded as the securityof signatures, is unclear.

Non-patent literature 3 describes a method that is guaranteed to beresistant to chosen message attacks. In this method, a signatureconsists of seven group elements σ=(z, r, s, t, u, v, w) that satisfythe two verification equations given below.

e(a ₁ ,ã ₁)e(a ₂ ,ã ₂)=e(g _(z) ,z)e(g _(r) ,r)e(s,t)Π_(i=1) ^(k) e(g_(i) ,m _(i)),

e(b ₁ ,{tilde over (b)} ₁)e(b ₂ ,{tilde over (b)} ₂)=e(h _(z) ,z)e(h_(u) ,u)e(v,w)Π_(i=1) ^(k) e(h _(i) ,m _(i))

All the elements in the verification equations that are not included inσ are public keys.

The system in non-patent literature 4 allows a signature to be composedof a smaller number of group elements than the system in Non-patentliterature 3. This method, however, provides security only in groupsbased on asymmetric bilinear mapping, and there is specific attack ingroups based on symmetric bilinear mapping, which is used often inencryption protocols.

PRIOR ART LITERATURES Non-Patent Literatures

Non-patent literature 1: Jan Camenisch and Anna Lysyanskaya, “SignatureSchemes and Anonymous Credentials form Bilinear Maps,” Crypto 2004, LNCS3152, pp. 56-72

Non-patent literature 2: Matthew Green and Susan Hohenberger,“Universally Composable Adaptive Oblivious Transfer,” IACR e-Printarchive, 2008/163 [retrieved on Dec. 31, 2011], Internet <URLhttp://eprint.iacr.org/cgi-bin/getfile.pl?entry=2008/163&version=20080806:150034&file=163.pdf_(>)

Non-patent literature 3: Masayuki Abe, Kristiyan Haralambiev and MiyakoOhkubo, “Signing on Elements in Bilinear Groups for Modular ProtocolDesign,” IACR e-print 2010/133 [retrieved on Dec. 31, 2011], Internet<URL http://eprint.iacr.org/2010/133 22

Non-patent literature 4: Masayuki Abe, Jens Groth, KristiyanHaralambiev, and Miyako Ohkubo, “Optimal Structure-Preserving Signaturesin Asymmetric Bilinear Groups,” Crypto 2011, Springer

SUMMARY OF THE INVENTION Problems to be Solved by the Invention

The security of the technologies in Non-patent literatures 1 and 2 inactual implementations is unclear. In the system in Non-patentliterature 3, a signature consists of seven group elements, and toverify a signature consisting of K group elements with respect to amessage, 10+2K pairing operations are needed. This means a longsignature bit length and a large amount of computation. The system inNon-patent literature 4 does not provide security in groups based onsymmetric bilinear mapping.

In view of the problems given above, an object of the present inventionis to provide a group structure preserving signature system that can beapplied also to groups based on symmetric bilinear mapping, that has ashort signature length, and that enables efficient computation ofverification equations.

Means to Solve the Problems

A signature verification system according to the present inventioncomprises a signature device which generates a signature and averification device which verifies the signature. It is assumed that G₁,G₂, and G_(T) represent groups of order p, e represents pairing ofG₁×G₂→G_(T), g₁ represents any generator of group G₁, g₂ represents anygenerator of group G₂, K represents a predetermined integer not smallerthan 1, k represents an integer between 1 and K, both inclusive, m₁, . .. , m_(K) represent elements of group G₁, message M is M=(m₁, . . . ,m_(K)), ̂ represents a power; γ_(s), δ_(s), γ_(t), δ_(t), γ_(u), δ_(u),γ_(v), δ_(v), {γ₁, δ₁}, . . . , {γ_(K), δ_(K)} are integers between 0and p−1, both inclusive; and g_(s), h_(s), h_(t), h_(t), g_(u), h_(u),g_(v), h_(v), {g₁, h₁}, . . . , {g_(K), h_(K)} are given as follows:

g_(s) = g₁{circumflex over ( )}γ_(s) h_(s) = g₁{circumflex over( )}δ_(s) g_(t) = g₁{circumflex over ( )}γ_(t) h_(t) = g₁{circumflexover ( )}δ_(t) g_(u) = g₁{circumflex over ( )}γ_(u) h_(u) =g₁{circumflex over ( )}δ_(u) g_(v) = g₂{circumflex over ( )}γ_(v) h_(v)= g₂{circumflex over ( )}δ_(v) g_(k) = g₁{circumflex over ( )}γ_(k)h_(k) = g₁{circumflex over ( )}δ_(k)where k=1, . . . , K.

The signature device comprises at least a signature recording unit and asignature generating unit. The signature recording unit recordsinformation indicating p, G₁, G₂, G_(T), e, g₁, and g₂, informationneeded to obtain e(g_(u), g_(v)) and e(h_(u), h_(v)), and data thatincludes g_(s), h_(s), g_(t), h_(t), {g₁, h₁}, . . . , {g_(K), h_(K)} asa public key vk and records data that includes vk, γ_(s), δ_(s), γ_(t),δ_(t), γ_(u), δ_(u), γ_(v), δ_(v), {γ₁, δ₁}, . . . , {γ_(K), δ_(K)} as asecret key sk. The signature generating unit selects ζ and ρ at randomfrom integers between 0 and p−1, both inclusive, obtains w, s, t, and r,as given below,

${w = g_{1}^{\varsigma}},{s = g_{2}^{\rho}},{t = \left( {g_{2}^{{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \delta_{k}}}} \right)^{1/\delta_{t}}}$$r = \left( {{g_{2}^{{\gamma_{u} \cdot \gamma_{v}} - {\gamma_{s} \cdot \rho}} \cdot t^{- \gamma_{t}}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \gamma_{k}}}} \right)^{1/\varsigma}$

and generates, as a signature σ, data that includes w, s, t, and r.

The verification device comprises at least a verification recording unitand a verifying unit. The verification recording unit records the publickey vk. The verifying unit checks whether two equations

e(g _(u) ,g _(v))=e(g _(s) ,s)e(g _(t) ,t)(Π_(k=1) ^(K) e(g _(k) ,m_(k)))e(w,r),

e(h _(u) ,h _(v))=e(h _(s,) s)e)(h _(t) ,t)Π_(k=1) ^(K) e(h _(k) ,m_(k))

are satisfied, and determines that the signature is correct when the twoequations are satisfied, or determines that the signature is incorrectwhen at least one of the two equations is not satisfied.

Here, γ_(u) and γ_(v) may be set to 0. In that case, g_(u)=g_(v)=1 ande(g_(u), g_(v))=1, so that the public key vk does not require anyinformation to obtain e(g_(u), g_(v)). The secret key sk does notrequire γ_(u) or γ_(v). The signature generating unit should obtain r,as given below.

$r = \left( {{g_{2}^{{- \gamma_{s}} \cdot \rho} \cdot t^{- \gamma_{t}}}{\prod_{k = 1}^{K}m_{k}^{- \gamma_{k}}}} \right)^{1/\zeta}$

The verifying unit should check whether the two equations given beloware satisfied.

1=e(g _(s) ,s)e(g _(t) ,t)(Π_(k=1) ^(K) e(g _(k) ,m _(k)))e(w,r),

e(h _(u) ,h _(v))=e(h _(s) ,s)e)(h _(t) ,t)Π_(k=1) ^(K) e(h _(k) ,m_(k))

Effects of the Invention

A signature verification system according to the present inventionperforms verification by using two verification equations and can ensuresecurity even with symmetric bilinear mapping, like the method inNon-patent literature 3. In addition, since a signature σ consists offour group elements w, s, t, and r, the signature can be made shorterthan that in Non-patent literature 3, which requires seven groupelements. If γ_(u) and γ_(v) are set to 0, the number of pairingoperations in verification can be reduced to 6+2K; if γ_(u) and γ_(v)are selected at random, the number of operations can be reduced to 7+2K.Therefore, the amount of computation becomes smaller than that for 10+2Koperations in Non-patent literature 3.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a view showing an example configuration of a signatureverification system of the present invention;

FIG. 2 is a view illustrating a processing flow of a signature device;

FIG. 3 is a view illustrating a processing flow of a verificationdevice.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Now, embodiments of the present invention will be described in detail.Components having identical functions will be denoted by the samereference numerals, and a duplicated description thereof will beomitted.

First Embodiment

Configuration and Processing

FIG. 1 shows an example configuration of a signature verification systemof the present invention. FIG. 2 illustrates a processing flow of asignature device, and FIG. 3 illustrates a processing flow of averification device. The signature verification system comprises atleast a signature device 100 and a verification device 200. Thesignature device 100 records a secret key sk and a public key vk andgenerates a signature σ with respect to a message M. The verificationdevice 200 records the public key vk and verifies whether the signatureσ is a correct one generated by using the secret key sk for the messageM. The public key vk, the message M, and the signature σ are shared bythe signature device 100 and the verification device 200, and thesharing means may use a network or a portable recording medium. In FIG.1, the signature device 100 and the verification device 200 areconnected by a network 800.

The following symbols are used below: G₁, G₂, and G_(T) represent groupsof order p; e represents pairing of G₁×G₂→G_(T); g₁ represents anygenerator of group G₁, g₂ represents any generator of group G₂; Krepresents a predetermined integer not smaller than 1; k represents aninteger between 1 and K, both inclusive; m₁, . . . , m_(K) representelements of group G₁; message M is M=(m₁, . . . , m_(K)); ̂ represents apower.

A key generating unit 110 selects γ_(s), δ_(s), γ_(t), δ_(t), γ_(u),δ_(u), γ_(v), δ_(v), {γ₁, δ₁}, . . . , {γ_(K), δ_(K)} from integersbetween 0 and p−1, both inclusive. The selection should be made atrandom. Then, g_(s), h_(s), g_(t), h_(t), g_(u), h_(u), g_(v), h_(v),{g₁, h₁}, {g_(K), h_(K)} are obtained as follows (S110):

g_(s) = g₁{circumflex over ( )}γ_(s) h_(s) = g₁{circumflex over( )}δ_(s) g_(t) = g₁{circumflex over ( )}γ_(t) h_(t) = g₁{circumflexover ( )}δ_(t) g_(u) = g₁{circumflex over ( )}γ_(u) h_(u) =g₁{circumflex over ( )}δ_(u) g_(v) = g₂{circumflex over ( )}γ_(v) h_(v)= g₂{circumflex over ( )}δ_(v) g_(k) = g₁{circumflex over ( )}γ_(k)h_(k) = g₁{circumflex over ( )}δ_(k) (k = 1, . . . , K)These data items may be obtained beforehand and may be used in commonfor multiple signatures or may be changed each time a signature isgenerated.

The signature device 100 comprises at least a signature recording unit190 and a signature generating unit 120. The key generating unit 110 maybe comprised in the signature device 100 or in a different unit. Thesignature device 100 may also comprise a signature input-output unit 180that exchanges data through the network 800. The signature recordingunit 190 records information indicating p, G₁, G₂, G_(T), e, g₁, and g₂,information needed to obtain e(g_(u), g_(v)) and e(h_(u), h_(v)), anddata that includes g_(s), h_(s), g_(t), h_(t), {g₁, h₁}, . . . , {g_(K),h_(K)}, as the public key vk, and records data that includes vk, γ_(s),δ_(s), γ_(t), δ_(t), γ_(u), δ_(u), γ_(v), δ_(v), {γ₁, δ₁}, . . . ,{γ_(K), δ_(K)} as the secret key sk (S190). For example, a statement Λindicating p, G₁, G₂, G_(T), e, g₁, and g₂, and g_(s), h_(s), g_(t),h_(t), g_(u), g_(v), h_(v), {g₁, h₁}, . . . , {g_(K), h_(K)} may be heldas the public key vk. Alternatively, a statement Λ indicating p, G₁, G₂,G_(T), e, g₁, and g₂, and g_(s), h_(s), g_(t), h_(t), e(g_(u), g_(v)),e(h_(u), h_(v)) {g₁, h₁}, . . . , {g_(K), h_(K)} may be held as thepublic key vk.

The signature generating unit 120 selects ζ and ρ at random fromintegers between 0 and p−1, both inclusive, obtains w, s, t, and r asgiven below, and generates data that includes w, s, t, and r as thesignature σ (S120).

${w = g_{1}^{\zeta}},{s = g_{2}^{\rho}},{t = \left( {g_{2}^{{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}}{\prod_{k = 1}^{K}m_{k}^{- \gamma_{k}}}} \right)^{1/\delta_{t}}}$$r = \left( {{g_{2}^{{\gamma_{u} \cdot \gamma_{v}} - {\gamma_{s} \cdot \rho}} \cdot t^{- \gamma_{t}}}{\prod_{k = 1}^{K}m_{k}^{- \gamma_{k}}}} \right)^{1/\zeta}$

The message M for which the signature is made consists of K elements ofgroup G₁. Ordinary messages are integers of any length, but the messageM in the present invention consists of K elements of group G₁. If amessage for which a signature is made is short, the message M should becreated by padding so as to have K elements of group G₁. One of theelements of group G₁ should be chosen beforehand as the value to bepadded with. The signature input-output unit 180 sends the signature σ athrough the network 800 to the verification device 200 (S180).

The verification device 200 comprises at least a verification recordingunit 290 and a verifying unit 210. The verification recording unit 290records the public key vk (S290). The verification device 200 may alsocomprise a verification input-output unit 280 that exchanges datathrough the network 800. The verification input-output unit 280 receivesthe signature σ through the network 800 (S280 ).

The verifying unit 210 checks whether the following two equations aresatisfied.

e(g _(u) ,g _(v))=e(g _(s) ,s)e(g _(t) ,t)(Π_(k=1) ^(K) e(g _(k) ,m_(k)))e(w,r),

e(h _(u) ,h _(v))=e(h _(s,) s)e)(h _(t) ,t)Π_(k=1) ^(K) e(h _(k) ,m_(k))

If the two equations are satisfied, the verifying unit 210 determinesthat the signature is correct. If at least one of the two equations isnot satisfied, the verifying unit 210 determines that the signature isincorrect (S210).

Description of Verification Equations

The left side of the first verification equation above is given asfollows.

$\begin{matrix}{{e\left( {g_{u},g_{v}} \right)} = {e\left( {g_{1}^{\gamma_{u}},g_{2}^{\gamma_{v}}} \right)}} \\{= {e\left( {g_{1},g_{2}} \right)}^{\gamma_{u} \cdot \gamma_{v}}}\end{matrix}$

The right side is given as follows.

${{e\left( {g_{s},s} \right)}{e\left( {g_{t},t} \right)}\left( {\prod\limits_{k = 1}^{K}\; {e\left( {g_{k},m_{k}} \right)}} \right){e\left( {w,r} \right)}} = {{{e\left( {g_{1}^{\gamma_{s}},g_{2}^{\rho}} \right)}{e\left( {g_{1}^{\gamma_{t}},\left( {g_{2}^{{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \delta_{k}}}} \right)^{1/\delta_{t}}} \right)}\left( {\prod\limits_{k = 1}^{K}\; {e\left( {g_{1}^{\gamma_{k}},m_{k}} \right)}} \right){e\left( {g_{1}^{\zeta},\left( {{g_{2}^{{\gamma_{u} \cdot \gamma_{v}} - {\gamma_{s} \cdot \rho}} \cdot t^{- \gamma_{t}}}{\prod\limits_{k = 1}^{K}m_{k}^{- \gamma_{k}}}} \right)^{1/\zeta}} \right)}} = {{{e\left( {g_{1},g_{2}} \right)}^{\gamma_{s} \cdot \rho}{e\left( {g_{1}^{\gamma_{t}},\left( g_{2}^{{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}} \right)^{1/\delta_{t}}} \right)}{e\left( {g_{1}^{\gamma_{t}},\left( {\prod\limits_{k = 1}^{K}\; m_{k}^{- \delta_{k}}} \right)^{1/\delta_{t}}} \right)}\left( {\prod\limits_{k = 1}^{K}\; {e\left( {g_{1}^{\gamma_{k}},m_{k}} \right)}} \right){e\left( {g_{1}^{\zeta},\left( {{g_{2}^{{\gamma_{u} \cdot \gamma_{v}} - {\gamma_{s} \cdot \rho}} \cdot \left( {g_{2}^{{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}}{\prod\limits_{k = 1}^{K}m_{k}^{- \delta_{k}}}} \right)^{{- \gamma_{t}}/\delta_{t}}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \gamma_{k}}}} \right)^{1/\zeta}} \right)}} = {{{e\left( {g_{1},g_{2}} \right)}^{{\gamma_{s} \cdot \rho} + {\gamma_{t} \cdot {{({{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}})}/\delta_{t}}}}{e\left( {g_{1},g_{2}} \right)}^{\zeta \cdot {{({{\gamma_{u} \cdot \gamma_{v}} - {\gamma_{s} \cdot \rho} - {\gamma_{t} \cdot {{({{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}})}/\delta_{t}}}})}/\zeta}}{\prod\limits_{k = 1}^{K}\; {{e\left( {g_{1},m_{k}} \right)}^{\gamma_{k}}{\prod\limits_{k = 1}^{K}\; {{e\left( {g_{1},m_{k}} \right)}^{\zeta \cdot {{({- \gamma_{k}})}/\zeta}}{e\left( {g_{1},\left( {\prod\limits_{k = 1}^{K}\; m_{k}^{- \delta_{k}}} \right)} \right)}^{\gamma_{t}/\delta_{t}}{e\left( {g_{1},\left( {\prod\limits_{k = 1}^{K}\; m_{k}^{- \delta_{k}}} \right)} \right)}^{\zeta \cdot {{({{- \gamma_{t}}/\delta_{t}})}/\zeta}}}}}}} = {e\left( {g_{1},g_{2}} \right)}^{\gamma_{u} \cdot \gamma_{v}}}}}$

Accordingly, if the signature is correct, the first equation issatisfied. The left side of the second equation is given as follows.

$\begin{matrix}{{e\left( {h_{u},h_{v}} \right)} = {e\left( {g_{1}^{\delta_{u}},g_{2}^{\delta_{v}}} \right)}} \\{= {e\left( {g_{1},g_{2}} \right)}^{\delta_{u} \cdot \delta_{v}}}\end{matrix}$

The right side is given as follows.

${{e\left( {h_{s},s} \right)}{e\left( {h_{t},t} \right)}{\prod\limits_{k = 1}^{K}\; {e\left( {h_{k},m_{k}} \right)}}} = {{{e\left( {g_{1}^{\delta_{s}},g_{2}^{\rho}} \right)}{e\left( {g_{1}^{\delta_{t}},\left( {g_{2}^{{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \delta_{k}}}} \right)^{1/\delta_{t}}} \right)}{\prod\limits_{k = 1}^{K}{e\left( {g_{1}^{\delta_{k}},m_{k}} \right)}}} = {{{e\left( {g_{1},g_{2}} \right)}^{\delta_{s} \cdot \rho}{e\left( {g_{1},g_{2}} \right)}^{\delta_{t} \cdot {{({{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}})}/\delta_{t}}}{\prod\limits_{k = 1}^{K}\; {{e\left( {g_{1},m_{k}} \right)}^{\delta_{t} \cdot {{({- \delta_{k}})}/\delta_{t}}}{\prod\limits_{k = 1}^{K}\; {e\left( {g_{1},m_{k}} \right)}^{\delta_{k}}}}}} = {e\left( {g_{1},g_{2}} \right)}^{\delta_{u} \cdot \delta_{v}}}}$

Accordingly, if the signature is correct, the second equation issatisfied.

Reason why security is provided even with symmetric bilinear mapping

Since symmetric bilinear mapping gives

$\begin{matrix}{{{e\left( {g_{1},g_{2}} \right)}{e\left( {g_{2},g_{1}^{- 1}} \right)}} = {{e\left( {g_{1},g_{2}} \right)}{e\left( {g_{2},g_{1}} \right)}^{- 1}}} \\{= 1}\end{matrix}$

multiplying by e(g₁, g₂)e(g₂, g₁ ⁻¹) does not change the result ofoperations on the groups. For example, the first verification equationcan be converted as follows.

${{e\left( {g_{u},g_{v\;}} \right)} = {{e\left( {g_{s},s} \right)}{e\left( {g_{t},t} \right)}\left( {\prod\limits_{k = 1}^{K}\; {e\left( {g_{k},m_{k}} \right)}} \right){e\left( {w,r} \right)}}},{= {{{e\left( {g_{s},s} \right)}{e\left( {g_{t},t} \right)}{e\left( {g_{1},m_{1}} \right)}{e\left( {g_{2},m_{2}} \right)}\mspace{14mu} \ldots \mspace{14mu} {e\left( {g_{K},m_{K}} \right)}{e\left( {w,r} \right)}} = {{{e\left( {g_{s},s} \right)}{e\left( {g_{t},t} \right)}{e\left( {g_{1},m_{1}} \right)}{e\left( {g_{1},g_{2}} \right)}{e\left( {g_{2},g_{1}^{- 1}} \right)}{e\left( {g_{2},m_{2}} \right)}\mspace{14mu} \ldots \mspace{14mu} {e\left( {g_{K},m_{K}} \right)}{e\left( {w,r} \right)}} = {{e\left( {g_{s},s} \right)}{e\left( {g_{t\;},t} \right)}{e\left( {g_{1},{m_{1}g_{2}}} \right)}{e\left( {g_{2},{m_{2}g_{1}^{- 1}}} \right)}\mspace{14mu} \ldots \mspace{14mu} {e\left( {g_{K},m_{K}} \right)}{e\left( {w,r} \right)}}}}}$

It means that the first equation is satisfied even for a messageM′=(m′₁, m′₂, . . . , m_(K)) that includes m′₁ and m′₂ which are givenby m′₁=m₁g₂ and m′₂=m₂g₁ ⁻¹. Accordingly, with symmetric bilinearmapping, the security of the signature cannot be ensured by the singleequation alone.

The second equation for the message M′ will be considered next. Theright side of the second equation is given as follows.

e(h_(s), s)e(h_(t), t)e(h₁, m₁^(′))e(h₂, m₂^(′))  …  e(h_(K), m_(K)) = e(h_(s), s)e(h_(t), t)e(h₁, m₁g₂)e(h₂, m₂g₁⁻¹)  …  e(h_(K), m_(K)) = e(h_(s), s)e(h_(t), t)e(h₁, m₁)e(h₁, g₂)e(h₂, g₁⁻¹)e(h₂, m₂)  …  e(h_(K), m_(K))

Since e(h₁, g₂)e(h₂, g₁ ⁻¹) is not 1, the equation does not match theleft side, e(h_(u), h_(v)). That is, the second equation is notsatisfied. Accordingly, by using the two verification equations,security can be ensured even with symmetric bilinear mapping.

Effects

The signature verification system according to the present inventionuses the two verification equations for verification and can ensuresecurity even with symmetric bilinear mapping, like the method inNon-patent literature 3. Accordingly, an encryption protocol can beefficiently configured by combining the digital signature of the presentinvention with elements (a public key encryption method, commitment,etc.) of a different encryption protocol, generated on groups based onsymmetric bilinear mapping. Moreover, since the signature c consists offour group elements w, s, t, and r, the signature length is shorter thanthat in Non-patent literature 3, which requires seven group elements.The number of pairing operations in verification can be reduced to 7+2K.Accordingly, the amount of computation becomes smaller than that for 1030 2K operations in Non-patent literature 3.

Modification

A modification will be described also with reference to FIGS. 1 to 3. Asignature verification system of the modification comprises at least asignature device 100′ and a verification device 200′. The conditions ofthe groups and variables are the same as those in the first embodimentexcept that γ_(u) and γ_(v) are set to 0. In that case, g_(u)=g_(v)=1and e(g_(u), g_(v))=1, and the public key vk does not require anyinformation to obtain e(g_(u), g_(v)). The secret key sk does notrequire γ_(u) or γ_(v). A signature generating unit 120′ should obtain ras follows.

$r = \left( {{g_{2}^{{- \gamma_{s}} \cdot \rho} \cdot t^{- \gamma_{t}}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \gamma_{k}}}} \right)^{1/\zeta}$

A verifying unit 210′ should check whether the two equations given beloware satisfied.

1=e(g _(s) ,s)e(g _(t) ,t)(Π_(k=1) ^(K) e(g _(k) ,m _(k)))e(w,r),

e(h _(u) ,h _(v))=e(h _(s,) s)e(h _(t) ,t)Π_(k=1) ^(K) e(h _(k) ,m _(k))

In other words, the signature verification system of the presentinvention can be modified to a signature verification system that doesnot use γ_(u), γ_(v), g_(u), or g_(v), as follows.

A key generating unit 110′ selects γ_(s), δ_(s), γ_(t), δ_(t), δ_(u),δ_(v), {γ₁, δ₁}, . . . , {γ_(K), δ_(K)} from integers between 0 and p−1,both inclusive. The selection should be made at random. Then, g_(s),h_(s), g_(t), h_(t), h_(u), h_(v), {g₁, h₁}, . . . , {g_(K), h_(K)} areobtained as follows (S110′):

g_(s) = g₁{circumflex over ( )}γ_(s) h_(s) = g₁{circumflex over( )}δ_(s) g_(t) = g₁{circumflex over ( )}γ_(t) h_(t) = g₁{circumflexover ( )}δ_(t) h_(u) = g₁{circumflex over ( )}δ_(u) h_(v) =g₂{circumflex over ( )}δ_(v) g_(k) = g₁{circumflex over ( )}γ_(k) h_(k)= g₁{circumflex over ( )}δ_(k) (k = 1, . . . , K)

A signature recording unit 190′ records information indicating p, G₁,G₂, G_(T), e, g₁, and g₂, information needed to obtain e(h_(u), h_(v)),and data that includes g_(s), h_(s), g_(t), h_(t), {g₁, h₁}, . . . ,{g_(K), h_(K)} as the public key vk and records data that includes vk,γ_(s), δ_(s), γ_(t), δ_(t), δ_(u), δ_(v), {γ_(K), δ_(K)} as the secretkey sk (S190′). For example, a statement Λ indicating p, G₁, G₂, G_(T),e, g₁ , and g₂, and g_(s), h_(s), g_(t), h_(t), h_(u), h_(v), {g₁, h₁},. . . , {g_(K), h_(K)} may be held as the public key vk. Alternatively,a statement Λ indicating p, G₁, G₂, G_(T), e, g₁, and g₂, and g₂, andg_(s), h_(s), g_(t), h_(t), e(h_(u), h_(v)), {g₁, h₁}, . . . , {g_(K),h_(K)} may be held as the public key vk.

The signature generating unit 120′ selects ζ and ρ at random fromintegers between 0 and p−1, both inclusive, obtains w, s, t, and r,given as follows, and generates, as a signature σ, data that includes w,s, t, and r (S120′).

${w = g_{1}^{\zeta}},{s = g_{2}^{\rho}},{t = \left( {g_{2}^{{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \delta_{k}}}} \right)^{1/\delta_{t}}}$$r = \left( {{g_{2}^{{- \gamma_{s}} \cdot \rho} \cdot t^{- \gamma_{t}}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \gamma_{k}}}} \right)^{1/\zeta}$

A signature input-output unit 180′ sends the signature σ through thenetwork 800 to the verification device 200′ (S180′).

The verification device 200′ comprises at least a verification recordingunit 290′ and the verifying unit 210′. The verification recording unit290′ records the public key vk (S290′). The verification device 200′ maycomprise a verification input-output unit 280′ that exchanges datathrough the network 800. The verification input-output unit 280′receives the signature σ through the network 800 (S280′).

The verifying unit 210′ checks whether the following two verificationequations are satisfied.

1=e(g _(s) ,s)e(g _(t) ,t)(Π_(k=1) ^(K) e(g _(k) ,m _(k)))e(w,r),

e(h _(u) ,h _(v))=e(h _(s) ,s)e(h _(t) ,t)Π_(k=1) ^(K) e(h _(k) ,m _(k))

If the two equations are satisfied, the verifying unit 210′ determinesthat the signature is correct; if at least one of the two equations isnot satisfied, the verifying unit 210′ determines that the signature isincorrect (S210′).

The modification differs from the first embodiment just in that γ_(u)and γ_(v) are set to 0. In that case, since g_(u)=g_(v)=1 and e(g_(u),g_(v))=1, if the signature is correct, the two equations given above aresatisfied.

Like the method in non-patent literature 3, the modification uses thetwo verification equations in verification and can ensure security evenwith symmetric bilinear mapping. In addition, because the signature σconsists of four group elements w, s, t, and r, the signature is shorterthan that in Non-patent literature 3, which requires seven groupelements. Moreover, the number of paring operations in verification canbe reduced to 6+2K. Accordingly, the amount of computation becomessmaller than that for 10+2K operations in Non-patent literature 3.

Program, Recording Medium

Each type of processing described above may be executed not only timesequentially according to the order of description but also in parallelor individually when necessary or according to the processingcapabilities of the devices that execute the processing. Appropriatechanges can be made to the above embodiments without departing from thescope of the present invention.

When the configurations described above are implemented by a computer,the processing details of the functions that should be provided by eachdevice are described in a program. When the program is executed by acomputer, the processing functions described above are implemented onthe computer.

The program containing the processing details can be recorded in acomputer-readable recording medium. The computer-readable recordingmedium can be any type of medium, such as a magnetic storage device, anoptical disc, a magneto-optical recording medium, or a semiconductormemory.

This program is distributed by selling, transferring, or lending aportable recording medium such as a DVD or a CD-ROM with the programrecorded on it, for example. The program may also be distributed bystoring the program in a storage unit of a server computer andtransferring the program from the server computer to another computerthrough the network.

A computer that executes this type of program first stores the programrecorded on the portable recording medium or the program transferredfrom the server computer in its storage unit. Then, the computer readsthe program stored in its storage unit and executes processing inaccordance with the read program. In a different program execution form,the computer may read the program directly from the portable recordingmedium and execute processing in accordance with the program, or thecomputer may execute processing in accordance with the program each timethe computer receives the program transferred from the server computer.Alternatively, the above-described processing may be executed by aso-called application service provider (ASP) service, in which theprocessing functions are implemented just by giving program executioninstructions and obtaining the results without transferring the programfrom the server computer to the computer. The program of this formincludes information that is provided for use in processing by thecomputer and is treated correspondingly as a program (something that isnot a direct instruction to the computer but is data or the like thathas characteristics that determine the processing executed by thecomputer).

In the description given above, the devices are implemented by executingthe predetermined programs on the computer, but at least a part of theprocessing details may be implemented by hardware.

INDUSTRIAL APPLICABILITY

The present invention can be used as a basic element in a variety ofencryption protocols used for electronic money, credentials systems, andthe like.

DESCRIPTION OF REFERENCE NUMERALS

100, 100′: Signature device

110, 110′: Key generating unit

120, 120′: Signature generating unit

180, 180′: Signature input-output unit

190, 190′: Signature recording unit

200, 200′: Verification device

210, 210′: Verifying unit

280, 280′: Verification input-output unit

290, 290′: Verification recording unit

800: Network.

1. A signature verification system comprising: a signature device whichgenerates a signature, and a verification device which verifies thesignature, the signature device comprising: a signature recording unitwhich records information indicating p, G₁, G₂, G_(T, e, g) ₁, and g₂,information needed to obtain e(g_(u), g_(v)) and e(h_(u), h_(v)), anddata that includes g_(s), h_(s), g_(t), h_(t), {g₁, h₁}, . . . , {g_(K),h_(K)} as a public key vk and records data that includes vk, γ_(s),δ_(s), γ_(t), δ_(t), γ_(u), δ_(u), γ_(v), δ_(v), {γ₁, δ₁}, . . . ,{γ_(K), δ_(K)} as a secret key sk; and a signature generating unit whichselects ζ and ρ at random from integers between 0 and p−1, bothinclusive, obtains w, s, t, and r, as given below,${w = g_{1}^{\zeta}},{s = g_{2}^{\rho}},{t = \left( {g_{2}^{{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \delta_{k}}}} \right)^{1/\delta_{t}}}$$r = \left( {{g_{2}^{{\gamma_{u} \cdot \gamma_{v}} - {\gamma_{s} \cdot \rho}} \cdot t^{- \gamma_{t}}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \gamma_{k}}}} \right)^{1/\zeta}$and generates, as a signature σ, data that includes w, s, t, and r; andthe verification device comprising: a verification recording unit whichrecords the public key vk; and a verifying unit which checks whether twoequationse(g _(u) ,g _(v))=e(g _(s) ,s)e(g _(t) ,t)(Π_(k=1) ^(K) e(g _(k) ,m_(k)))e(w,r),e(h _(u) ,h _(v))=e(h _(s,) s)e)(h _(t) ,t)Π_(k=1) ^(K) e(h _(k) ,m_(k)) are satisfied, and which determines that the signature is correctwhen the two equations are satisfied, or determines that the signatureis incorrect when at least one of the two equations is not satisfied,where G₁, G₂, and G_(T) represent groups of order p, e representspairing of G₁×G₂→G_(T), g₁ represents any generator of group G₁, g₂represents any generator of group G₂, K represents a predeterminedinteger not smaller than 1, k represents an integer between 1 and K,both inclusive, m₁, . . . , m_(K) represent elements of group G₁,message M is M=(m₁, . . . , m_(K)), ̂ represents a power; γ_(s), δ_(s),γ_(t), δ_(t), γ_(u), δ_(u), γ_(v), δ_(v), {γ₁, δ₁}, . . . , {γ_(K),δ_(K)} are integers between 0 and p−1, both inclusive; and g_(s), h_(s),g_(t), h_(t), g_(u), h_(u), g_(v), h_(v), {g₁, h₁}, . . . , {g_(K),h_(K)} are given as follows: g_(s)=g₁̂γ_(s)h_(s)=g₁̂δ_(s)g_(t)=g₁̂γ_(t)h_(t)=g₁̂δ_(t) g_(u)=g₁̂γ_(u)h_(u)=g₁̂δ_(u)g_(v)=g₂̂γ_(v)h_(v)=g₂̂δ_(v) g_(k)=g₁̂γ_(k)h_(k)=g₁̂δ_(k) where k=1, . .. , K.
 2. A signature verification system comprising: a signature devicewhich generates a signature, and a verification device which verifiesthe signature, the signature device comprising: a signature recordingunit which records information indicating p, G₁, G₂, G_(T), e, g₁, andg₂, information needed to obtain e(h_(u), h_(v)), and data that includesg_(s), h_(s), g_(t), h_(t), {g₁, h₁}, . . . , {g_(K), h_(K)} as a publickey vk and records data that includes vk, γ_(s), δ_(t), γ_(t), δ_(t),δ_(u), δ_(v), {γ₁, δ₁}, . . . , {γ_(K), δ_(K)} as a secret key sk; and asignature generating unit which selects ζ and ρ at random from integersbetween 0 and p−1, both inclusive, obtains w, s, t, and r, as givenbelow,${w = g_{1}^{\zeta}},{s = g_{2}^{\rho}},{t = \left( {g_{2}^{{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \delta_{k}}}} \right)^{1/\delta_{t}}}$$r = \left( {{g_{2}^{{- \gamma_{s}} \cdot \rho} \cdot t^{- \gamma_{t}}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \gamma_{k}}}} \right)^{1/\zeta}$and generates, as a signature σ, data that includes w, s, t, and r; andthe verification device comprising: a verification recording unit whichrecords the public key vk; and a verifying unit which checks whether twoequations1=e(g _(s) , s)e(g _(t) ,t)(Π_(k=1) ^(K) e(g _(k) ,m _(k)))e(w,r),e(h _(u) ,h _(v))=e(h _(s) ,s)e(h _(t) ,t)Π_(k=1) ^(K) e(h _(k) ,m _(k))are satisfied, and which determines that the signature is correct whenthe two equations are satisfied, or determines that the signature isincorrect when at least one of the two equations is not satisfied, whereG₁, G₂, and G_(T) represent groups of order p, e represents pairing ofG₁×G₂→G_(T), g₁ represents any generator of group G₁, g₂ represents anygenerator of group G₂, K represents a predetermined integer not smallerthan 1, k represents an integer between 1 and K, both inclusive, m₁, . .. , m_(K) represent elements of group G₁, message M is M=(m₁, . . . ,m_(K)), ̂ represents a power; γ_(s), δ_(s), γ_(t), δ_(t), δ_(u), δ_(v),{γ₁, δ₁}, . . . , {γ_(K), δ_(K)} are integers between 0 and p−1, bothinclusive; and g_(s), h_(s), g_(t), h_(t), h_(u), h_(v), {g₁, h₁}, . . ., {g_(K), h_(K)} are given as follows: g_(s)=g₁̂γ_(s)h_(s)=g₁̂δ_(s)g_(t)=g_(t)̂γ_(t)h_(t)=g₁̂δ_(t) h_(u)=g₁̂δ_(u) h_(v)=g₂̂δ_(v)g_(k)=g₁̂γ_(k)h_(k)=g₁̂δ_(k) where k=1, . . . , K.
 3. A signature devicecomprising: a signature recording unit which records informationindicating p, G₁, G₂, G_(T), e, g₁, and g₂, information needed to obtaine(g_(u), g_(v)) and e(h_(u), h_(v)), and data that includes g_(s),h_(s), g_(t), h_(t), {g₁, h₁}, . . . , {g_(K), h_(K)} as a public key vkand records data that includes vk, γ_(s), δ_(s), γ_(t), δ_(t), γ_(u),δ_(u), γ_(v), δ_(v), {γ₁, δ₁}, . . . , {γ_(K), δ_(K)} as a secret keysk; and a signature generating unit which selects and p at random fromintegers between 0 and p−1, both inclusive, obtains w, s, t, and r, asgiven below,${w = g_{1}^{\zeta}},{s = g_{2}^{\rho}},{t = \left( {g_{2}^{{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \delta_{k}}}} \right)^{1/\delta_{t}}}$$r = \left( {{g_{2}^{{\gamma_{u} \cdot \gamma_{v}} - {\gamma_{s} \cdot \rho}} \cdot t^{- \gamma_{t}}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \gamma_{k}}}} \right)^{1/\zeta}$and generates, as a signature σ, data that includes w, s, t, and r;where G₁, G₂, and G_(T) represent groups of order p, e representspairing of G₁×G₂→G_(T), g₁ represents any generator of group G₁, g₂represents any generator of group G₂, K represents a predeterminedinteger not smaller than 1, k represents an integer between 1 and K,both inclusive, m₁, . . . , m_(K) represent elements of group G₁,message M is M=(m₁, . . . , m_(K)), ̂ represents a power; γ_(s), δ_(s),γ_(t), δ_(t), γ_(u), δ_(u), γ_(v), δ_(v), {γ₁, δ₁}, . . . , {_(K),δ_(K)} are integers between 0 and p−1, both inclusive; and g_(s), h_(s),g_(t), h_(t), g_(u), h_(u), g_(v), h_(v), {g₁, h₁}, . . . , {g_(K),h_(K)} are given as follows: g_(s)=g₁̂γ_(s)h_(s)=g₁̂δ_(s)g_(t)=g₁̂γ_(t)h_(t)=g₁̂δ_(t) g_(u)=g₁̂γ_(u)h_(u)=g₁̂δ_(u)g_(v)=g₂̂γ_(v)h_(v)=g₂̂δ_(v) g_(k)=g₁̂γ_(k)h_(k)=g₁̂δ_(k) where k=1, . .. , K.
 4. A signature device comprising: a signature recording unitwhich records information indicating p, G₁, G₂, G_(T), e, g₁, and g₂,information needed to obtain e(h_(u), h_(v)), and data that includesg_(s), h_(s), g_(t), h_(t), {g₁, h₁}, . . . , {g_(K), h_(K)} as a publickey vk and records data that includes vk, γ_(s), δ_(s), γ_(t), δ_(t),δ_(u), δ_(v), {γ₁, δ₁}, . . . , {γ_(K), δ_(K)} as a secret key sk; and asignature generating unit which selects and ζ and ρ at random fromintegers between 0 and p−1, both inclusive, obtains w, s, t, and r, asgiven below,${w = g_{1}^{\zeta}},{s = g_{2}^{\rho}},{t = \left( {g_{2}^{{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \delta_{k}}}} \right)^{1/\delta_{t}}}$$r = \left( {{g_{2}^{{- \gamma_{u}} \cdot \rho} \cdot t^{- \gamma_{t}}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \gamma_{k}}}} \right)^{1/\zeta}$and generates, as a signature σ, data that includes w, s, t, and r;where G₁, G₂, and G_(T) represent groups of order p, e representspairing of G₁×G₂→G_(T), g₁ represents any generator of group G₁, g₂represents any generator of group G₂, K represents a predeterminedinteger not smaller than 1, k represents an integer between 1 and K,both inclusive, m₁, . . . , m_(K) represent elements of group G₁,message M is M=(m₁, . . . , m_(K)), ̂ represents a power; γ_(s), δ_(s)s,γ_(t), δ_(t), δ_(u), δ_(v), {γ₁, δ₁}, . . . , {γ_(K), δ_(K)} areintegers between 0 and p−1, both inclusive; and g_(s), h_(s), g_(t),h_(t), h_(u), h_(v), {g₁, h₁}, . . . , {g_(K), h_(K)} are given asfollows: g_(s)=g₁̂γ_(s)h_(s)=g₁̂δ_(s) g_(t)=g₁̂γ_(t)h_(t)=g₁̂δ_(t)h_(u)=g₁̂δ_(u) h_(v)=g₂̂δ_(v) g_(k)=g₁̂γ_(k)h_(k)=g₁̂δ_(k) where k=1, .. . , K.
 5. A verification device comprising: a verification recordingunit which records information indicating p, G₁, G₂, G_(T), e, g₁, andg₂, information needed to obtain e(g_(u), g_(v)) and e(h_(u), h_(v)),and data that includes g_(s), h_(s), g_(t), h_(t), {g₁, h₁}, . . . ,{g_(K), h_(K)} as a public key vk; and a verifying unit which checkswhether two equationse(g _(u) ,g _(v))=e(g _(s) ,s)e(g _(t) ,t)(Π_(k=1) ^(K) e(g _(k) ,m_(k)))e(w,r),e(h _(u) ,h _(v))=e(h _(s) ,s)e)(h _(t) ,t)Π_(k=1) ^(K) e(h _(k) ,m_(k)) are satisfied, and which determines that the signature is correctwhen the two equations are satisfied, or determines that the signatureis incorrect when at least one of the two equations is not satisfied,where G₁, G₂, and G_(T) represent groups of order p, e representspairing of G₁×G₂→G_(T), g₁ represents any generator of group G₁, g₂represents any generator of group G₂, K represents a predeterminedinteger not smaller than 1, k represents an integer between 1 and K,both inclusive, m₁, . . . , m_(K) represent elements of group G₁,message M is M=(m₁, . . . , m_(K)), w is an element of group G₁, s, t,and r are elements of group G₂, a signature verified by the verificationdevice is a data including w, s, t, and r, ̂ represents a power; γ_(s),δ_(s), γ_(t), δ_(t), γ_(u), δ_(u), γ_(v), δ_(v), {γ₁, δ_(t)}, . . . ,{γ_(K), δ_(K)} are integers between 0 and p−1, both inclusive; andg_(s), h_(s), g_(t), h_(t), g_(u), h_(u), g_(v), h_(v), {g₁, h₁}, . . ., {g_(K), h_(K)} are given as follows: g_(s)=g₁̂γ_(s)h_(s)=g₁̂δ_(s)g_(t)=g₁̂γ_(t)h_(t)=g₁̂δ_(t) g_(u)=g₁̂γ_(u)h_(u)=g₁̂δ_(u)g_(v)=g₂̂γ_(v)h_(v)=g₂̂δ_(v) g_(k)=g₁̂γ_(k)h_(k)=g₁̂δ_(k) where k=1, . .. , K.
 6. A verification device comprising: a verification recordingunit which records information indicating p, G₁, G₂, G_(T), e, g₁, andg₂, information needed to obtain e(h_(u), h_(v)), and data that includesg_(s), h_(s), g_(t), h_(t), {g₁, h₁}, . . . , {g_(K), h_(K)} as a publickey vk; and a verifying unit which checks whether two equations1e(g _(s) ,s)e(g _(t) ,t)(Π_(k=1) ^(K) e(g _(k) ,m _(k)))e(w,r),e(h _(u) ,h _(v))=e(h _(s,) s)e)(h _(t) ,t)Π_(k=1) ^(K) e(h _(k) ,m_(k)) are satisfied, and which determines that the signature is correctwhen the two equations are satisfied, or determines that the signatureis incorrect when at least one of the two equations is not satisfied,where G₁, G₂, and G_(T) represent groups of order p, e representspairing of G₁×G₂→G_(T), g₁ represents any generator of group G₁, g₂represents any generator of group G₂, K represents a predeterminedinteger not smaller than 1, k represents an integer between 1 and K,both inclusive, m₁, . . . , m_(K) represent elements of group G₁,message M is M=(m₁, . . . , m_(K)), w is an element of group G₁, s, t,and r are elements of group G₂, a signature verified by the verificationdevice is a data including w, s, t, and r, ̂ represents a power; γ_(s),δ_(s), γ_(t), δ_(t), δ_(u), δ_(v), {γ₁, δ₁}, . . . , {_(K), δ_(K)} areintegers between 0 and p−1, both inclusive; and g_(s), h_(s), g_(t),h_(t), h_(u), h_(v), {g₁, h₁}, . . . , {g_(K), h_(K)} are given asfollows: g_(s)=g₁̂γ_(s)h_(s)=g₁̂δ_(s) g_(t)=g₁̂γ_(t)h_(t)=g₁̂δ_(t)h_(u)=g₁̂γ_(u) h_(v)=g₂̂γ_(v) g_(k)=g₁̂γ_(k)h_(k)=g₁̂δ_(k) where k=1, .. . , K.
 7. A signature verification method used with a signature devicewhich generates a signature and a verification device which verifies thesignature, the signature verification method comprising: a signaturerecording step in which the signature device records informationindicating p, G₁, G₂, G_(T), e, g₁, and g₂, information needed to obtaine(g_(u), g_(v)) and e(h_(u), h_(v)), and data that includes g_(s),h_(s), g_(t), h_(t), {g₁, h₁}, . . . , {g_(K), h_(K)} as a public key vkand records data that includes vk, γ_(s), δ_(s), γ_(t), δ_(t), γ_(u),δ_(v), γ_(v), δ_(v), {γ₁, δ₁}, . . . , {_(K), δ_(K)} as a secret key sk;a signature generating step in which the signature device selects ζ andρ at random from integers between 0 and p−1, both inclusive, obtains w,s, t, and r, as given below,${w = g_{1}^{\zeta}},{s = g_{2}^{\rho}},{t = \left( {g_{2}^{{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \delta_{k}}}} \right)^{1/\delta_{t}}}$$r = \left( {{g_{2}^{{\gamma_{u} \cdot \gamma_{v}} - {\gamma_{s} \cdot \rho}} \cdot t^{- \gamma_{t}}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \gamma_{k}}}} \right)^{1/\zeta}$and generates, as a signature σ, data that includes w, s, t, and r; averification recording step in which the verification device records thepublic key vk; and a verifying step in which the verification devicechecks whether two equationse(g _(u) ,g _(v))=e(g _(s) ,s)e(g _(t) ,t)(Π_(k=1) ^(K) e(g _(k) ,m_(k)))e(w,r),e(h _(u) ,h _(v))=e(h _(s,) s)e)(h _(t) ,t)Π_(k=1) ^(K) e(h _(k) ,m_(k)) are satisfied, and determines that the signature is correct whenthe two equations are satisfied, or determines that the signature isincorrect when at least one of the two equations is not satisfied, whereG₁, G₂, and G_(T) represent groups of order p, e represents pairing ofG₁×G₂→G_(T), g₁ represents any generator of group G₁, g₂ represents anygenerator of group G₂, K represents a predetermined integer not smallerthan 1, k represents an integer between 1 and K, both inclusive, m₁, . .. , m_(K) represent elements of group G₁, message M is M=(m₁, . . . ,m_(K)), ̂ represents a power; γ_(s), δ_(s), γ_(t), δ_(t), γ_(u), δ_(u),γ_(v), δ_(v), {γ₁, δ₁}, . . . , {γ_(K), δ_(K)} are integers between 0and p−1, both inclusive; and g_(s), h_(s), g_(t), h_(t), g_(u), h_(u),g_(v), h_(v), {g₁, h₁}, . . . , {g_(K), h_(K)} are given as follows:g_(s)=g₁̂γ_(s)h_(s)=g₁̂δ_(s) g_(t)=g₁̂γ_(t)h_(t)=g₁̂δ_(t)g_(u)=g₁̂γ_(u)h_(u)=g₁̂δ_(u) g_(v)=g₂̂γ_(v)h_(v)=g₂̂δ_(v)g_(k)=g₁̂γ_(k)h_(k)=g₁̂δ_(k) where k=1, . . . , K.
 8. A signatureverification method used with a signature device which generates asignature and a verification device which verifies the signature, thesignature verification method comprising: a signature recording step inwhich the signature device records information indicating p, G₁, G₂,G_(T), e, g_(t), and g₂, information needed to obtain e(h_(u), h_(v)),and data that includes g_(s), h_(s), g_(t), h_(t, {g) ₁, h₁}, . . . ,{g_(K), h_(K)} as a public key vk and records data that includes vk,γ_(s), δ_(s), γ_(t), δ_(u), δ_(v), {γ₁, δ₁}, . . . , {γ6 _(K), δ_(K)} asa secret key sk; a signature generating step in which the signaturedevice selects ζ and ρ at random from integers between 0 and p−1, bothinclusive, obtains w, s, t, and r, as given below,${w = g_{1}^{\zeta}},{s = g_{2}^{\rho}},{t = \left( {g_{2}^{{\delta_{u} \cdot \delta_{v}} - {\delta_{s} \cdot \rho}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \delta_{k}}}} \right)^{1/\delta_{t}}}$$r = \left( {{g_{2}^{{- \gamma_{u}} \cdot \rho} \cdot t^{- \gamma_{t}}}{\prod\limits_{k = 1}^{K}\; m_{k}^{- \gamma_{k}}}} \right)^{1/\zeta}$and generates, as a signature σ, data that includes w, s, t, and r; averification recording step in which the verification device records thepublic key vk; and a verifying step in which the verification devicechecks whether two equations1=e(g _(s) ,s)e(g _(t) ,t)(Π_(k=1) ^(K) e(g _(k) ,m _(k)))e(w,r),e(h _(u) ,h _(v))=e(h _(s,) s)e)(h _(t) ,t)Π_(k=1) ^(K) e(h _(k) ,m_(k)) are satisfied, and determines that the signature is correct whenthe two equations are satisfied, or it is determined that the signatureis incorrect when at least one of the two equations is not satisfied,where G₁, G₂, and G_(T) represent groups of order p, e representspairing of G₁×G₂→G_(T), g₁ represents any generator of group G₁, g₂represents any generator of group G₂, K represents a predeterminedinteger not smaller than 1, k represents an integer between 1 and K,both inclusive, m₁, . . . , m_(K) represent elements of group G₁,message M is M=(m₁, . . . , m_(K)), ̂ represents a power; γ_(s), δ_(s),γ_(t), δ_(t), δ_(u), δ_(v), {γ₁, δ₁}, . . . , {_(K), δ_(K)} are integersbetween 0 and −1, both inclusive; and g_(s), h_(s), g_(t), h_(t), h_(u),h_(u), g_(v), {g₁, h₁}, . . . , {g_(K), h_(K)} are given as follows:g_(s)=g₁̂γ_(s)h_(s)=g₁̂δ_(s) g_(t)=g₁̂γ_(t)h_(t)=g₁̂δ_(t) h_(u)=g₁̂δ_(u)h_(v)=g₂̂δ_(v) g_(k)=g₁̂γ_(k)h_(k)=g₁̂δ_(k) where k=1, . . . , K.